Opened 5 years ago
Last modified 5 years ago
#31218 closed Bug
response.set_cookie method not accepting "samesite" key set to "None" in release versions — at Initial Version
Reported by: | Adrien Carpentier | Owned by: | nobody |
---|---|---|---|
Component: | HTTP handling | Version: | 2.2 |
Severity: | Normal | Keywords: | set_cookie, SameSite, CSRF, cookie |
Cc: | | Triage Stage: | Unreviewed |
Has patch: | no | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
Google is now requesting, starting from Chrome 80 (from February 4th), to add "SameSite=None; Secure" to cookies (https://www.chromium.org/updates/same-site), otherwise it will not be considered as not CSRF-proof anymore by Chrome.
In all Django release branches, the response.set_cookie method is not accepting the "samesite" key set to "None", but it seems it has been done in the master branch (https://www.chromium.org/updates/same-site).
Do you know when it will be merged to the release branch(es)?
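The cookie attributes at issue in this ticket, as an added example that is not part of the original report and is not Django's code: a standard-library sketch that emits `SameSite=None` only together with `Secure`, and audits an existing `Set-Cookie` value for the unsafe combination. The names `set_cookie`, `audit_set_cookie` and `ALLOWED_SAMESITE` are hypothetical, the sample values are constructed, and Python 3.8 or later is assumed for `samesite` support in `http.cookies`.

```python
from http.cookies import SimpleCookie

# Hypothetical allow-list for this example (compared case-insensitively).
ALLOWED_SAMESITE = ("lax", "strict", "none")


def set_cookie(jar, key, value, samesite=None, secure=False, httponly=False):
    """Add a cookie to `jar` and return its Set-Cookie header value.

    Rejects unknown SameSite values and refuses SameSite=None without
    Secure, the pairing the ticket says Chrome 80 asks for.
    """
    if samesite is not None:
        if samesite.lower() not in ALLOWED_SAMESITE:
            raise ValueError('samesite must be "lax", "none", or "strict".')
        if samesite.lower() == "none" and not secure:
            raise ValueError("SameSite=None requires secure=True.")
    jar[key] = value
    morsel = jar[key]
    if samesite is not None:
        morsel["samesite"] = samesite.capitalize()
    if secure:
        morsel["secure"] = True
    if httponly:
        morsel["httponly"] = True
    return morsel.OutputString()


def audit_set_cookie(header_value):
    """Return names of cookies that carry SameSite=None without Secure."""
    jar = SimpleCookie()
    jar.load(header_value)
    return [
        name
        for name, morsel in jar.items()
        if morsel["samesite"].lower() == "none" and not morsel["secure"]
    ]


if __name__ == "__main__":
    jar = SimpleCookie()
    # Constructed sample cookie, not taken from the ticket.
    print(set_cookie(jar, "sessionid", "abc123", samesite="None",
                     secure=True, httponly=True))
    print(audit_set_cookie("sessionid=abc123; SameSite=None"))
```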